Security Disclosure
MedallionDirect is operated by North Capital Private Securities (NCPS), a FINRA member broker-dealer and SEC-registered investment adviser. We take vulnerability reports seriously and follow coordinated disclosure.
Reporting
Do not open a public GitHub issue for security vulnerabilities. Report privately by email to security@northcapital.com and include:
- A description of the vulnerability and its potential impact
- Steps to reproduce (proof-of-concept, if applicable)
- Affected component or URL path
- Any mitigations you are aware of
We acknowledge receipt within 2 business days and provide a remediation timeline within 5 business days. Critical issues (exploitable in production, data exfiltration risk) are prioritized for same-day triage.
Scope
In scope:
- This website and the MedallionDirect application
- The infrastructure that hosts it
- Authentication and authorization flows
- Document upload and storage handling
Out of scope:
- North Capital's other products and services
- Third-party services we integrate with (Stripe, Cognito, Cal.com) — report directly to those vendors
- Findings on the legacy prototype that this rebuild replaces
Disclosure policy
We follow coordinated disclosure. We ask that you:
- Give us reasonable time to remediate before public disclosure (90 days from acknowledgment is our target; we will communicate if a complex fix needs more time).
- Avoid accessing, modifying, or exfiltrating data you do not own.
- Avoid disrupting production service.
We will credit reporters in the associated remediation announcement unless you request anonymity.
Regulatory context
MedallionDirect handles nonpublic personal information (NPI) subject to SEC Regulation S-P (17 CFR Part 248), books-and-records subject to SEC Rule 17a-4 and FINRA Rule 4511, and U.S. state privacy laws (CCPA and equivalents). Vulnerabilities involving NPI exposure or audit-log integrity are treated as priority incidents regardless of technical severity.